This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 64%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hello, please can anybody tell me by this log, if my 2 servers had been compromised please? Thank you.
Server log
CVE-2021-26855
"2021-03-03T07:52:03.579Z","ServerInfo~a]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-04T23:03:44.923Z","ServerInfo~akak]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T05:37:27.400Z","ServerInfo~akak]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:44:51.174Z","ServerInfo~a]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:44:54.680Z","ServerInfo~a]@Testta .domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:45:32.913Z","ServerInfo~a]@Testta /autodiscover/autodiscover.xml#"
"2021-03-06T14:55:28.198Z","ServerInfo~burpcollaborator.net/ecp/default.flt?"
Probably. Consider opening a Microsoft support ticket or hiring a security consultant to investigate further:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Personally, I would take all the Exchange Servers offline and rebuild them from scratch.
I opened ticket with Microsoft and microsoft told me they can not solve that issue with that type of ticket. You need to have premier support to get them at least start solving that. So Microsoft is not the one who will help you solve this problem.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
You could run the script here and it will give you the result like following if it's not affected:
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I ran that script and got result mentioned in the first post. I updated Excahnge to latest CU and updates meanwhile.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 8%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
But what must we do when the server is infected according to the script?
Restore server from backup. Now the first described case using of this vulnerability is on the end of January 2021.
Or pay some external expert who will check your server for you... or find company which has access to premium support (like we are doing now). But you cant be ever sure your system is clear because I think microsoft will not know it as well. There is no enough info about this attack and nobody knows who compromised your system and what he wanna do with that access. I have 2 exchanges comprimised. :(
But I'm missing a formal answer from Microsoft what to do. My recommendation is to scratch the server and rebuild, but I'd like hear that from Microsoft.
Hi,
Have you tried running the Microsoft Safety Scanner:https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download